Skip to content
Privacy Policy

How Revvye handles data.

Revvye is built around public-surface website analysis. This page explains what we collect, why we collect it, who we share it with, how long we keep it, and the rights you have over your data.

Last updated: June 30, 2026

1. Who we are

Revvye (“Revvye,” “we,” “us”) is operated by its founder as a sole proprietorship. Legal entity registration is in progress; this section will name the registered entity when complete.

Revvye is a revenue-leak diagnostic for any business with a website. We scan public website surfaces, score the leaks we find, and offer paid reports and services on top of those findings. This privacy policy describes how we treat personal information across all free and paid Revvye products.

Privacy questions, data-rights requests, and policy concerns: privacy@revvye.com or support@revvye.com. Postal contact will be published when entity registration completes; until then, use the support email.

2. What we collect

We collect five categories of information. Each is described below.

Account data

Email address, name (optional), company or business name, and a password hash maintained by Supabase Auth. We do not store passwords in plain text. If you sign in via OAuth, we receive only the profile fields the provider exposes.

Submitted data

The URLs you submit for scanning, plus the public-page HTML, robots.txt directives, sitemap entries, structured data, Open Graph metadata, and performance signals our scanner fetches from those URLs. We scan public pages only; we do not access password-protected content, customer accounts, CRMs, or private systems.

Payment data

Payment processing is handled by Stripe. We never see, store, or transmit full card numbers. Stripe returns to us only the metadata we need to complete the order: a customer ID, the last four digits of the card, the billing country, the order amount, and a receipt URL. Card data is governed by Stripe’s privacy policy and PCI program.

Usage and telemetry

Google Consent Mode defaults analytics storage to denied. Google Analytics may receive cookieless consent-state measurement pings; analytics cookies and custom usage events require acceptance. Server-side request logs are retained briefly for security and debugging.

Communications

Anything you email us, send through a contact form, or share in support requests. We retain those messages so we can follow up and so future support agents have context.

3. Why we collect it

Each category has a specific lawful basis. We do not collect data “just in case.”

Contract performance. Account data, submitted scan URLs, and payment data are processed because we need them to provide the service you signed up for: running scans, returning results, and charging for paid unlocks.

Legitimate interest. Usage analytics and security logs are processed to keep the platform reliable, prevent abuse, and improve the product. We try to keep this minimal.

Consent. Marketing emails, newsletters, and any non-transactional communications are sent only with your consent. You can withdraw that consent at any time using the unsubscribe link or by emailing privacy@revvye.com.

Legal obligation. We retain financial records to comply with tax, accounting, and dispute-resolution obligations.

4. Who we share it with (sub-processors)

Revvye is a small operation that runs on a focused set of vendors. Each vendor touches a narrow slice of data.

  • Supabase— primary database, authentication, and file storage. Stores your account record, scan inputs, scan results, paid-unlock records, and any uploaded artifacts. Data residency: US region by default.
  • Stripe— payment processing for paid reports and services. PCI compliance is handled by Stripe; we never receive full card data. Stripe stores customer records, payment methods, charges, and refund history.
  • Cloudflare— application hosting, DNS, and edge caching/CDN for the Revvye site. Touches request metadata (IP, user agent, request path) for delivery and protection.
  • Google Analytics 4 (Google LLC)— website analytics using Consent Mode v2. Cookieless consent-state measurement may occur while storage is denied; accepted visitors may send page views, traffic sources, approximate location derived from IP, and device/browser metadata. Data handling on Google’s side is governed by Google’s privacy policy.
  • Brevo— transactional email delivery (order confirmations, report delivery, account and alert emails). Receives the recipient email address and the message content needed to send each email.

The Revvye scan worker runs in an isolated browser container on our compute provider and writes results into Supabase. No scan data is shared with third parties outside this list.

If your website was scanned by a Revvye user and you would like to request the scan record or its deletion, contact privacy@revvye.com. Revvye scans only public pages, but you have the right to ask for the record we hold.

5. How long we keep it

Concrete retention periods, not vague language.

  • Account data— kept while your account is active, plus 90 days after a deletion request. After that, only records we’re legally required to retain remain.
  • Scan data and public-page artifacts— 12 months from the date of the scan, or until you request deletion, whichever comes first. Scans tied to paid orders are retained for the full 12 months for support and dispute purposes.
  • Payment records— 7 years, as required by US tax and accounting rules. This covers invoices, charges, and refund history; no card data is held by us.
  • Analytics— user-level and event-level data is retained in Google Analytics 4 per our retention setting (at most 14 months, Google’s ceiling for standard properties); aggregated reporting data may persist longer on Google’s systems.
  • Communications— support emails are retained for 24 months for follow-up context.

We may retain anonymized, aggregated data (no identifiers, no IP, no URLs) longer to improve methodology and benchmark outputs. Aggregate data cannot be re-linked to you.

6. Your rights

You have rights over the data we hold about you. We will respond to verified requests within 30 days.

You may request to (a) access the data we hold, (b) correct inaccurate data, (c) delete your data, (d) export a portable copy, (e) object to a particular processing activity, or (f) withdraw consent for marketing communications. Email privacy@revvye.com with the request and we will verify your identity before acting.

Some retention obligations (financial records, fraud prevention, security logs) may require us to keep limited records even after a deletion request. We will tell you which records were retained and why.

7. EU/UK and California residents

Region-specific notices for users covered by GDPR/UK GDPR and the California Consumer Privacy Act / California Privacy Rights Act.

EU and UK residents. The lawful bases for processing your personal data are listed in section 3 (contract performance, legitimate interest, consent, legal obligation). You have the right to lodge a complaint with your local supervisory authority. International transfers from the EU/UK to the United States rely on Standard Contractual Clauses where applicable.

California residents. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. Under the California Consumer Privacy Act and the California Privacy Rights Act you have the right to know what we collect, to delete it, to correct it, to limit the use of sensitive personal information, and to not be retaliated against for exercising those rights. To exercise these rights, contact privacy@revvye.com.

8. Cookies and tracking

What we set and why. You can block or limit any of these in your browser.

Functional cookies are set by Supabase Auth (session token) and Cloudflare (security, load balancing). These are required for the site to work.

Analytics cookies are set by Google Analytics 4 (Google’s gtag script, _ga and related cookies) to measure page views and traffic sources after acceptance. Before acceptance, analytics storage remains denied, though cookieless consent-state pings may be sent. Use the Cookie preferences control in the footer to reopen the choice, or clear cookies in your browser. We do not currently detect or honor Do Not Track or Global Privacy Control signals. You may also email privacy@revvye.com with a request.

Stripe cookies are set inside the Stripe checkout iframe for fraud detection and to keep the checkout session active. These are governed by Stripe’s policies.

9. Security

What we do. We are not making zero-breach guarantees.

All traffic to Revvye uses TLS in transit. The database underneath the platform uses encryption at rest provided by Supabase. Access to production systems is restricted to a small number of credentialed operators and audited.

No system is unbreakable. If you become aware of a security issue, contact security@revvye.com. If a breach affects your data, we will notify you and the relevant authorities within the windows our jurisdiction requires.

10. Children

Revvye is a B2B service for adults running businesses.

Revvye is not intended for children under 13 (United States) or under 16 (European Union and United Kingdom). We do not knowingly collect personal data from children. If you believe a child has used Revvye, contact privacy@revvye.com and we will delete the record.

11. Changes to this policy

We will tell you when this changes.

When we make material changes to this policy we will update the “Last updated” date at the top of the page and notify account holders by email or by a banner on the site at least 30 days before the change takes effect for existing data. Continued use of Revvye after the effective date means the updated policy applies going forward.

12. Contact

One inbox for privacy questions and one for general support.

Privacy and data-rights requests: privacy@revvye.com.

General support and refund requests: support@revvye.com.

Revvye is operated by its founder as a sole proprietorship; legal entity registration is in progress, and this section will name the registered entity when complete. Postal contact will be published when entity registration completes; until then, use the support email.